One thing that my husband has been up late working on is patches and fixes due to the Heartbleed bug, information about which was publicly disclosed at the beginning of this week. What is it, and how does it affect you?
Basically, an error in the coding of a system called Open SSL meant that a person could send a query to a server and receive in return a random chunk of the server’s memory. With enough querying over time, this same person could eventually gain enough clues to compile information about the users whose information is stored on the server.
A more compact explanation can be seen in visual form, here:
See that last panel? If you read the small print of the server’s text balloon, you’ll see that it states: “User Karen wants to change account password to…” It’s that kind of information that gets stored on a server, and that kind of information that can now be acquired due to this bug.
So, which sites and which services are affected by this bug? Mashable has a great list of popular sites and services here: The Heartbleed Hit List: The Passwords You Need to Change Right Now.
This is by no means a complete list, so here’s what you should do immediately to protect yourself and your private information:
- Change the passwords that you use on the sites mentioned on the Mashable list, immediately.
- If you used those passwords on other sites (because it was easier in your mind), change all of those passwords, too. Do not use the same password for different sites going forward.
- If a site or service which uses a secure certificate (you see https:// in your address bar at the top of your browser window when you browse to it rather than just https://) is not on the Mashable list, go to that site’s homepage to see if they have a comment on their News section about whether or not they use(d) Open SSL and/or if they’ve patched the problem. If they have, change your password. If they have not, inquire and keep hounding them until you get an answer.
In closing, please make sure you’re always using best and safe practices when using the Internet. Like going to the dentist, changing all your passwords is a tedious and unpleasant chore, but it must be done at least twice a year.
Your teeth—and your information security—will thank you for it.